How to Configure GlobalProtect for Customer Registry Check on Windows
Created On 12/22/21 20:43 PM - Last Modified 12/22/21 21:41 PM
Environment
- Palo Alto Networks firewall on PAN-OS 10.0+
- Existing GlobalProtect infrastructure
- Proper licensing (HIP checks require the GlobalProtect subscription)
Resolution
Configure GlobalProtect to check for the Windows registry key
1. Launch Regedit on the Windows endpoint and note the registry key, value name and value data you will check.
   Note: In our example we use the key HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER, the value name GraphFile and the value data \\psistest.grf.
2. Within PAN-OS, navigate to Network > GlobalProtect > Portals > "Select Portal" > Agent > "Select Config".
3. After selecting the appropriate configuration, navigate to HIP Data Collection > Custom Checks > Windows and select "Add" under "REGISTRY KEY".
4. Enter the registry key chosen in step 1 in the "Registry Key" field and the value name in the "Registry Value" field, then select OK. This only tells the GlobalProtect app which key and value to report in its HIP report; what counts as a match is decided by the HIP object configured next.
5. Next, configure the HIP object that will be matched against the endpoints: navigate to Objects > GlobalProtect > HIP Objects, select Add and specify a name for the object.
6. Select the "Custom Checks" tab, select the checkbox to enable custom checks, choose the Registry Key tab and click Add.
7. Specify the registry key from step 1 in the Registry Key field, select Add, specify the value name and value data in the appropriate fields, and then select OK.
8. Now configure the HIP profile: navigate to Objects > GlobalProtect > HIP Profiles, select Add and provide a name.
9. Select "Add Match Criteria", choose the object created in step 5, and then select OK.
10. Commit your changes.
Verify the endpoint matches the configured HIP profile
- Upon a successful connection to the GlobalProtect portal and gateway, a match to the profile should appear under Monitor > Logs > HIP Match; filter by the appropriate user. If no entry appears, compare the key path, value name and value data in the endpoint's HIP report with what you entered in the HIP object; a difference in any of them prevents the match.
- You can also view the HIP report from the CLI by issuing the following command: debug user-id dump hip-report computer <computer-name> user <username> ip <user-IP>
- The custom-checks section at the end of the report shows whether the key and the value were found and what data the value holds:

admin@PA-VM> debug user-id dump hip-report computer DESKTOP-PMINSSO user testuser ip 192.168.100.2

<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
  <md5-sum>ecdf6c7058d9ec8b60c783c0a59d2bb1</md5-sum>
  <user-name>testuser</user-name>
  <domain>(empty_domain)</domain>
  <host-name>DESKTOP-PMINSSO</host-name>
  <host-id>30b6dc89-07d5-4bda-b946-9b28ad9eaefc</host-id>
  <ip-address>192.168.100.2</ip-address>
  <ipv6-address></ipv6-address>
  <generate-time>12/22/2021 12:14:23</generate-time>
  <hip-report-version>4</hip-report-version>
  <categories>
    <entry name="host-info">
    <<<<<< OMITTED FOR BREVITY >>>>>>
  </categories>
  <custom-checks>
    <registry-key>
      <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
        <exist>yes</exist>
        <value></value>
        <registry-value>
          <entry name="GraphFile">
            <exist>yes</exist>
            <value>\\psistest.grf</value>
          </entry>
        </registry-value>
      </entry>
    </registry-key>
  </custom-checks>
</hip-report>
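The following script is an added example, not Palo Alto Networks code or part of the original article. It parses the XML printed by debug user-id dump hip-report and applies the same three questions the registry-key criterion in a HIP object asks (key exists, value exists, value data equals the configured string), reporting each fact separately so a missing HIP Match entry can be traced to the field that differs. The sample report is constructed from the one above with the host-info category omitted; RegistryCriterion and registry_check_result are names chosen for this example and do not correspond to anything in PAN-OS.

```python
"""Offline evaluation of a GlobalProtect HIP report against a registry-key check.

Added example, not Palo Alto Networks code. It parses the XML that
`debug user-id dump hip-report` prints and asks what a registry-key custom
check in a HIP object asks: key exists, value exists, value data equals.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the report in the article; the host-info
# category is omitted because only the custom-checks section matters here.
SAMPLE_REPORT = r"""<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
  <user-name>testuser</user-name>
  <host-name>DESKTOP-PMINSSO</host-name>
  <ip-address>192.168.100.2</ip-address>
  <hip-report-version>4</hip-report-version>
  <custom-checks>
    <registry-key>
      <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
        <exist>yes</exist>
        <value></value>
        <registry-value>
          <entry name="GraphFile">
            <exist>yes</exist>
            <value>\\psistest.grf</value>
          </entry>
        </registry-value>
      </entry>
    </registry-key>
  </custom-checks>
</hip-report>
"""


@dataclass(frozen=True)
class RegistryCriterion:
    """Fields of one registry-key criterion (hypothetical mirror of the HIP object).
    value_name None: only the key must exist. value_data None: the value must
    exist with any data. negate: invert the verdict."""
    key: str
    value_name: Optional[str] = None
    value_data: Optional[str] = None
    negate: bool = False


# The criterion the article configures in its HIP object (steps 5 to 7).
DEFAULT_CRITERION = RegistryCriterion(
    key=r"HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER",
    value_name="GraphFile",
    value_data=r"\\psistest.grf",
)


def _text(elem: ET.Element, tag: str) -> str:
    """Text of a child element, or "" when the child is absent or empty."""
    child = elem.find(tag)
    return (child.text or "") if child is not None else ""


def _find_entry(parent: ET.Element, path: str, name: str) -> Optional[ET.Element]:
    """Locate <entry name=...> under path. Names are compared case-insensitively
    because Windows registry key and value names are case-insensitive."""
    for entry in parent.iterfind(path):
        if entry.get("name", "").lower() == name.lower():
            return entry
    return None


def report_identity(report_xml: str) -> dict:
    """Who the report describes, for correlating with the HIP Match log."""
    root = ET.fromstring(report_xml)
    return {tag: _text(root, tag) for tag in ("user-name", "host-name", "ip-address")}


def registry_check_result(report_xml: str, crit: RegistryCriterion) -> dict:
    """Evaluate one criterion; return the raw facts plus the final verdict."""
    root = ET.fromstring(report_xml)
    facts = {"key_exist": False, "value_exist": False, "value_data": None}

    key_entry = _find_entry(root, "./custom-checks/registry-key/entry", crit.key)
    if key_entry is not None:
        facts["key_exist"] = _text(key_entry, "exist") == "yes"
        if crit.value_name is not None:
            val_entry = _find_entry(key_entry, "./registry-value/entry", crit.value_name)
            if val_entry is not None:
                facts["value_exist"] = _text(val_entry, "exist") == "yes"
                facts["value_data"] = _text(val_entry, "value")

    ok = facts["key_exist"]
    if crit.value_name is not None:
        ok = ok and facts["value_exist"]
        if crit.value_data is not None:
            # Exact comparison: the article does not say how PAN-OS compares
            # value data, so the strict reading is the assumption made here.
            ok = ok and facts["value_data"] == crit.value_data
    facts["match"] = ok != crit.negate
    return facts


if __name__ == "__main__":
    who = report_identity(SAMPLE_REPORT)
    verdict = registry_check_result(SAMPLE_REPORT, DEFAULT_CRITERION)
    print(f"{who['user-name']}@{who['host-name']} ({who['ip-address']}): {verdict}")
```

Paste the output of the debug command for a user who does not appear in the HIP Match log in place of SAMPLE_REPORT: a verdict with key_exist true but value_data differing from the HIP object (for example a trailing space or a different path prefix) points straight at the field to fix.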
Use the HIP profile in the Security policy
- After you've confirmed the endpoint successfully matches the profile, add it to your preferred Security policy rule by navigating to Policies > Security > "Select security policy" > Source > Source Device, select Add and choose the HIP profile configured in step 8. Traffic from that user then matches the rule only when the endpoint's most recent HIP report satisfies the profile.
- Keep in mind what the check proves: any account with local administrator rights can create a value under HKEY_LOCAL_MACHINE\SOFTWARE, so a registry-key HIP check attests the endpoint's configuration state, not its identity. Use it to gate access alongside user authentication and the other HIP criteria rather than as the only control.